Virtually Vanished

02.27.14

Inside Japan’s Bitcoin Heist

A former Mt. Gox employee says incompetent management and faulty accounting—not virtual robbers—are the real culprits in the missing millions.

Bitcoin, the virtual currency that has been racing toward acceptance as a genuine currency, had a colossal setback this past Tuesday, when a major Bitcoin exchange, Mt. Gox, based in Tokyo, went off-line. Thousands of customers are unable to withdraw deposits and CEO Mark Karpeles is not talking to the press about what happened. Fears about the virtual currency’s security have multiplied with the closing of Mt. Gox. It appears that the theft of several hundred thousand Bitcoins from the company forced it to close the exchange. Speculation is rampant as to what exactly happened.

The Daily Beast was able to speak with a former employee of Mt. Gox, on the condition of anonymity, due to a nondisclosure agreement with the company. According to the former employee’s testimony and other expert analysis, it seems very likely that the collapse of Mt. Gox was not a criminal fraud but the result of poor management, faulty accounting, and system bugs that went unfixed many months after being recognized by the CEO himself. The final nail in the coffin was the unauthorized release of an internal document that was supposed to serve as the groundwork for saving the company. It is unclear who leaked the document—which was an unfinished draft of a plan of action.

“Essentially,” said the former employee, “Mt. Gox was a dysfunctional organization. Nobody was doing accounting reconciliation and there was an exploitable fault in the transaction system that allowed people to get paid twice—or in other words, withdraw more or less the same amount of Bitcoins two times. Think of it this way—if Bitcoins were like frozen hamburger patties being served at a diner with a touchscreen menu, someone figured out that by tapping the screen twice you could get two hamburgers for the price of one. One day someone at the diner went to the freezer and realized that they were completely out of hamburgers—and they’d only served half the customers they thought they had.”

Bitcoin is a virtual currency that is produced by a computer program and is supposed to be extremely secure. Bitcoins.com explains it as follows “All newly mined Bitcoins, along with every transaction, are publicly recorded and verified through the network. This record is known as the blockchain and is one of the features that helps keep the system secure from fraud and abuse. Bitcoins cannot be duplicated or forged.”

And it does seem true that Bitcoins are very hard to forge or duplicate. Unfortunately, if you know what you’re doing, they may be easy to steal. Or if you’re not careful, they may be very easy to lose. Security in the transactions is paramount.

Flaws in the system became apparent on Feb. 7, when Mt. Gox was forced to halt withdrawals of Bitcoins. In a press release on Feb. 10, the company said it had suspended withdrawals because of a software flaw that would allow people trading the virtual currency to defraud the exchange. The announcement drew the ire of the Bitcoin community.

Jason Maurice, chief technology officer of Wiz Technologies Inc., says that Mark Karpeles, who corresponded on the Internet under the name MagicalTux, seemed to lack a good sense of cybersecurity. He asserts that the CEO admitted to flaws in the system on an Internet Relay Chat (IRC) in October 2013.

Maurice explains, “Mark seemed to acknowledge, but misunderstood the severity of the security issue, and didn't implement a correct fix at the time. By February 2014, he realized the severity of the bug and came up with a proper fix, but by then it was too late, the damage had been done. He basically dismissed a multimillion-dollar bug in his software that any decent software engineer would have immediately realized was a huge issue. Any financial institution would have a huge quality assurance team to find such bugs, but for Mark it was all up to him. Quite amazing.”

Several attempts were made to contact Karpeles for comment or his version of events, but he did not reply as of this posting.

Maurice and his friends, who have a total of $40,000 in Bitcoins in limbo, have been exhaustively examining what went wrong with the firm. “From our analysis of [the record of Bitcoin transactions], it appears Mt. Gox might not only have leaked money through a bug, but might have also accidentally thrown away Bitcoins. It’s hard to believe this level of incompetence,” he said.

“He’s a workaholic and a geek, but a good-hearted geek. He just has very limited management skills, a little hubris, and didn’t pay attention to accounting. He’s only 27 or 28 years old.”

The former employee says staff at Mt. Gox were first made aware of the massive amounts of missing Bitcoins on Friday of last week.

“Mt. Gox kept 90 percent of their Bitcoins in cold storage—in paper wallets and USB keys. They rented safety-deposit boxes in banks and when they needed to refill the transaction accounts, they took the Bitcoins out of storage, and deposited them into the system. Well, there was no reconciliation in the accounting sense between the cold storage and the transactions done. As long as money was coming in at a steady pace, no one realized that actually they had been losing huge amounts of Bitcoin. And when they did—all hell broke loose.”

Karpeles informed the former employee that an estimated 820,000 Bitcoins were unaccounted for—at the time, the equivalent of close to $500 million. The former employee was told the Bitcoins had possibly been siphoned off over several months by users exploiting flaws in the system. In particular, there seemed to be a system glitch that made it possible to get a payment reissued even after it had been already received. He says that because the firm hadn’t hired an accounting firm to keep the books or an auditor, the theft was undetected.

Teikoku Data Bank, Japan’s largest and most respected credit-rating agency, in Julyof last year reviewed the company and gave it a D4, the worst possible rating a company can receive on their scale. One of the reasons for the low rating was the lack of qualified accounting staff at the company.

On Saturday morning, key members of the Mt. Gox staff and consultants gathered and brainstormed for a way to keep the company solvent, protect the assets, and move forward. They drafted a document entitled “Crisis Strategy Draft,” which was meant to be used as a platform to show investors the problems and work out solutions. On Sunday, Karpeles resigned from the board of the Bitcoin Foundation, which oversees and develops the virtual currency. He reportedly told the organization of the troubles on the horizon.

“The Crisis Strategy Draft was only shown to several people, including the Winklevoss twins and Second Market executives. The reason for this was that if it got into the public domain, it would be disastrous. By Monday evening, it had been leaked to the blogger The Two-Bit Idiot, who published it on the Web. By Tuesday morning Japan time, it was all over the Internet. At this point, our last-minute efforts to discreetly refinance the company and avoid insolvency had pretty much been sabotaged,” the former employee said.

On the same day, Mt. Gox closed down.

The Winklevoss twins are heavily involved in the Bitcoin trade and at one time claimed to have cornered a significant amount of all Bitcoins in circulation. Second Market provides solutions for private companies and investment funds to simplify private capital markets. There is no solid evidence to suggest who leaked the document.

The former employee believes that Mark Karpeles has not acted maliciously or for his own profit.

“He’s a workaholic and a geek, but a good-hearted geek. He just has very limited management skills, a little hubris, and didn’t pay attention to accounting. He’s only 27 or 28 years old.”

There were words of praise for their former boss.

“Mt. Gox originally began as a Magic The Gathering Cards e-exchange. The company then was turned into a Bitcoin exchange outfit around 2010 and Mark took it over in 2011. He wrote most of the code—he created a fantastic [application interface]. It’s a wonderful platform for trading Bitcoin. The problem isn’t Bitcoin—the problem was the way Mt. Gox was run. And now it’s probably going to be run into the ground.”

It’s not clear yet when Karpeles became aware of the full extent of the missing Bitcoins at the company. However, filings with Japan’s ministry of justice show that he moved from his home in Tokyo’s Setagaya ward to a new location in Meguro Ward on Jan. 19 and registered his change of address on Feb. 3.

Yoshihide Suga, a top government spokesman, stated Wednesday that authorities, including the police and Japan’s Financial Services Agency, were collecting information on the Bitcoin trade in Japan and considering regulatory action. For those individuals, some with as much as $150,000 worth of Bitcoin trapped in the Mt. Gox system, whatever regulatory action that does come will probably come far too late. In addition, there are reports that U.S. authorities have begun investigating Mt. Gox and subpoenaed individuals who worked for or still work for the company.

Karl-Friedrich Lenz, professor of German and European law at Aoyama Gakuin University in Tokyo and author of the academic paper, Legal Issues of the New Internet Currency Bitcoin in EU Law and German Law, said he believes Mt. Gox should have been treated as a banking institution and not allowed to operate without a license under current Japanese law. He believes that because Mt. Gox accepts deposits and money can be wired to its accounts that it is more or less a financial institution.

“I went to the Financial Services Agency today and asked to speak with someone on this issue. After much argument, someone from the banking division accepted my report and I hope they will review it.”

He adds, “If Mt. Gox had been treated like a bank, this problem would have never happened. It would have had to have proper accounting and people with financials skills to get licensed. It’s unlikely that the Japanese government would have granted such authority to a company run by a 27-year-old computer genius with no financial background.”